Network segmentation as a security technique: how to make it work for your organization
- Published: Thursday, 20 September 2018 07:01
Whilst network segmentation is not a new approach, it is very relevant to helping organizations protect themselves against cyber attacks. However, its implementation and long-term maintenance are a major challenge for many companies. In this article Andrew Lintell provides some useful pointers.
Corporate networks have quickly become more and more complex. IT security teams regularly process change requests in the hundreds, which are then applied to company-owned network devices. As a result, the underlying network configuration grows in size and complexity, increasing the resources needed to manage the required changes. These changes affect every environment, from multi-vendor firewalls and routers to SDN and hybrid cloud platforms. The sheer size of the modern network therefore makes it increasingly difficult for companies to manage the complexity that comes with it. Cybercriminals are ideally positioned to take advantage of this confusion, which has left businesses scrambling to safeguard their networks from both targeted and automated attacks that penetrate the network by capitalising on overly permissive access policies.
A popular approach to meeting these initial network security challenges is network segmentation, where applications and infrastructure are divided into segments so that threats can be contained and prevented from spreading to other areas. If an attack exploits an existing service, monitoring can be prioritised and the vulnerable access rules assessed to direct incident response and mitigation.
Whilst network segmentation is not a new approach, it is by no means outdated. However, defining effective network segmentation, implementing it and maintaining it in the long term are a major challenge for many companies, especially in the face of new, stringent privacy regulations and frequent changes to the infrastructure footprint through the adoption of the cloud. So, how can companies guarantee the effective implementation of network segmentation practices while taking into account all the complexities of a corporate network? And how can they achieve the ideal state of granular, limited access?
Begin with the basics
The first step is to evaluate the current situation: what does the business need from its network, and how should it be divided? Put simply, individual departments are often keen to contain their applications within their own subsection or unit, which is entirely logical and a necessary step towards ensuring that sensitive data doesn’t find its way into the wrong hands.
Beyond this, segmentation is a crucial consideration for businesses that want to demonstrate best practice in line with the General Data Protection Regulation (GDPR). Under the new regulation, organizations need to track access to data pertaining to residents of the EU. After dividing the corporate network into individual segments or security zones, or tagging applications, IT managers will need to ensure that only the minimal required access to those zones or applications is provisioned. Above all, highly sensitive areas should be proactively monitored to identify whether unnecessary access can be removed.
Not a one-time job
The often-heard phrase ‘Security is a journey, not a destination’ certainly applies here. Network segmentation is not a one-time project, but an ongoing process that requires continuous maintenance. Network systems are constantly in need of updating, whether it is driven by new business requirements, new devices or new software. To effectively segment networks, companies should consider:
- Monitoring network traffic within each segment to gauge normal levels of activity.
- Reducing access to particular segments via firewalls to minimise external threats.
- Separating data assets by regulatory mandates, providing more visibility into what the protected assets contain, and what measures need to be taken to reduce risk.
- Continuously monitoring for violations and threats to the network, so changes can be made in real-time, baking risk analysis into the change management process.
- Conducting regular internal audits to ensure prior changes in firewall policy haven’t introduced risk.
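The last two points (continuous monitoring for violations and audits of prior firewall changes) can be reduced to a mechanical check: declare which zone-to-zone flows the segmentation design permits, then test every firewall rule against that declaration and diff the findings before and after a change. The following is an added example written for this article, not code from the author or from Tufin; the zones, addresses, rule names and the rule format are all constructed and vendor-neutral.

```python
"""Audit a firewall rule set against a declared network segmentation policy.

Constructed example: four hypothetical zones, an allow-matrix of permitted
zone-to-zone flows, and a handful of rules in a vendor-neutral shape.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical zones. 0.0.0.0/0 is the catch-all for anything not internal.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz":      ip_network("10.10.0.0/16"),
    "corp":     ip_network("10.20.0.0/16"),
    "pci":      ip_network("10.30.0.0/16"),   # cardholder-data segment
}
SENSITIVE = {"pci"}

# Permitted (source_zone, destination_zone) flows; anything else is a violation.
ALLOWED_FLOWS = {
    ("internet", "dmz"),
    ("dmz", "corp"),
    ("corp", "dmz"),
    ("corp", "pci"),
    ("corp", "internet"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Most specific zone that contains the whole CIDR ("any" means 0.0.0.0/0).
    A range spanning several zones falls through to the catch-all zone."""
    net = ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    best = None
    for name, zone_net in ZONES.items():
        if zone_net.supernet_of(net) and (
            best is None or zone_net.prefixlen > ZONES[best].prefixlen
        ):
            best = name
    return best


def audit(rules):
    """Return (rule_name, severity, reason) for every allow rule that breaks policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        sev = "high" if dst_zone in SENSITIVE else "medium"
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
            findings.append((r.name, sev, f"flow {src_zone}->{dst_zone} is not in the segmentation policy"))
        if dst_zone in SENSITIVE and (r.src == "any" or r.service == "any"):
            findings.append((r.name, sev, "source 'any' or service 'any' into a sensitive zone"))
    return findings


def new_findings(before, after):
    """Findings introduced by a change: present after the change but not before."""
    baseline = set(audit(before))
    return [f for f in audit(after) if f not in baseline]


# Constructed baseline rule set that complies with the policy above.
BASELINE = [
    Rule("web-in",       "any",          "10.10.0.0/24", "tcp/443",  "allow"),
    Rule("web-to-app",   "10.10.0.0/24", "10.20.5.0/24", "tcp/8443", "allow"),
    Rule("app-to-pci",   "10.20.5.0/24", "10.30.1.0/24", "tcp/5432", "allow"),
    Rule("default-deny", "any",          "any",          "any",      "deny"),
]

# Constructed change: a "temporary" troubleshooting rule opening the PCI segment to the
# whole corp zone on every port, plus a vendor SSH rule straight from the internet.
CHANGED = BASELINE[:3] + [
    Rule("cr-4711-troubleshoot", "10.20.0.0/16", "10.30.1.0/24", "any",    "allow"),
    Rule("cr-4712-vendor",       "any",          "10.30.2.0/24", "tcp/22", "allow"),
] + BASELINE[3:]

if __name__ == "__main__":
    for name, sev, reason in new_findings(BASELINE, CHANGED):
        print(f"[{sev}] {name}: {reason}")
```

Running the script on the constructed data reports nothing for the baseline and three findings for the change, all on the two newly added rules. The same diff logic is what makes the check usable inside change management: a change request is evaluated against the policy before it is pushed, not discovered months later in an audit.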
One step further: microsegmentation
Depending on the maturity and complexity of the company, as well as its business requirements, microsegmentation serves as a pragmatic solution for managing network access through a more dynamic and application-specific approach. With microsegmentation, the individual segments are broken down even further – even down to the application and user levels. In these cases, access to data is granted only to a pre-defined security group of users that is carefully managed by the security team. The group can easily be modified to reflect changes in personnel, and access is provided between the specific security group and the specific application. Rather than treating networks as broad segments of users, microsegmentation lets you apply security from the start in a manageable way.
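The group-to-application model described above is easiest to see as policy compilation: intents name a security group (or a service tier) and an application, and a compiler turns them into per-workload allow-lists, so that changing group membership regenerates the rules without anyone editing addresses by hand. The following is an added example written for this article, not code from the author or from Tufin; the workloads, labels, groups, addresses and the intent format are all constructed.

```python
"""Compile microsegmentation intents into per-workload allow-lists.

Constructed example: workloads carry labels, users belong to security groups,
and each intent grants one subject (a group or a labelled tier) access to one
target on one port.  Anything not granted is denied.
"""

# Hypothetical inventory. User desktops are modelled as workloads so that a
# group grant resolves to concrete source addresses.
WORKLOADS = {
    "billing-db-1":  {"app": "billing", "tier": "db",  "ip": "10.30.1.10"},
    "billing-api-1": {"app": "billing", "tier": "api", "ip": "10.20.5.10"},
    "hr-db-1":       {"app": "hr",      "tier": "db",  "ip": "10.30.2.10"},
    "desk-alice":    {"user": "alice",  "ip": "10.20.9.11"},
    "desk-bob":      {"user": "bob",    "ip": "10.20.9.12"},
}

# Security groups managed by the security team (constructed).
GROUPS = {"billing-dba": {"alice"}, "hr-analyst": {"bob"}}

# Intents: (subject selector, target selector, port). A selector is a set of
# label equalities; the special key "group" matches a user in that group.
INTENTS = [
    ({"group": "billing-dba"},           {"app": "billing", "tier": "db"}, 5432),
    ({"app": "billing", "tier": "api"},  {"app": "billing", "tier": "db"}, 5432),
    ({"group": "hr-analyst"},            {"app": "hr",      "tier": "db"}, 5432),
]


def matches(labels, selector, groups):
    """True when every selector entry holds for the workload's labels."""
    for key, value in selector.items():
        if key == "group":
            if labels.get("user") not in groups.get(value, set()):
                return False
        elif labels.get(key) != value:
            return False
    return True


def compile_allow_lists(workloads, groups, intents):
    """Return {target_workload: {(source_ip, port), ...}}.
    Every workload gets an entry, so an empty set means deny-all."""
    allow = {name: set() for name in workloads}
    for subject, target, port in intents:
        sources = [w for w, labels in workloads.items() if matches(labels, subject, groups)]
        for tname, tlabels in workloads.items():
            if not matches(tlabels, target, groups):
                continue
            for s in sources:
                if s != tname:
                    allow[tname].add((workloads[s]["ip"], port))
    return allow


def is_allowed(allow, src_ip, target, port):
    """Enforcement decision for one connection attempt (default deny)."""
    return (src_ip, port) in allow.get(target, set())


def render(allow, workloads):
    """Vendor-neutral text rendering of the compiled policy for review."""
    lines = []
    for target, grants in sorted(allow.items()):
        for src_ip, port in sorted(grants):
            lines.append(f"allow {src_ip} -> {workloads[target]['ip']} tcp/{port}  # {target}")
        lines.append(f"deny  any -> {workloads[target]['ip']}  # {target} default")
    return lines


if __name__ == "__main__":
    compiled = compile_allow_lists(WORKLOADS, GROUPS, INTENTS)
    print("\n".join(render(compiled, WORKLOADS)))
    # Personnel change: alice leaves the DBA group; recompiling drops her grant.
    GROUPS["billing-dba"].discard("alice")
    recompiled = compile_allow_lists(WORKLOADS, GROUPS, INTENTS)
    print("alice -> billing-db-1 after change:",
          is_allowed(recompiled, "10.20.9.11", "billing-db-1", 5432))
```

Two properties of the model are worth noting. The target workload never appears in its own allow-list, and a workload in the same tier but a different application (hr-db-1 against billing-db-1 here) gets nothing, which is the application-level granularity the paragraph describes. Membership is the only thing the security team edits; the addresses in the rendered rules are derived, so a personnel change cannot leave a stale address-based rule behind.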
Microsegmentation can be achieved with physical networks, as well as private and public cloud networks using software-defined network technologies for managing advanced cloud infrastructures. This requires comprehensive segmentation solutions that address the hybrid cloud and heterogeneous networks, thereby enabling IT security teams to effectively maintain and visually manage a microsegmentation policy for their organization.
In a constantly changing business environment, it is imperative to ensure that this volatility does not increase the attack surface and expose the company to a network breach. The right automation tools can help mitigate significant security risks by fostering a security-first mentality when meeting change requirements, and by reducing the complexity and time required to manage network changes continuously.
Automation can also help ensure the effective segmentation of networks, although a balance must be struck: businesses must be wary of overcomplicating the management of the different groups and of making the controls too granular.
Maintaining the desired network segmentation can therefore be a difficult task given the complex nature of security policies, and the fact that constant change requests are now the norm in most companies. However, if the network is divided into smaller zones, an attack on one segmented area cannot spread to another, creating a much more secure infrastructure overall and significantly bolstering network security. Ultimately, businesses must avoid over-segmenting the network and should maintain a central console to manage a micro-segmented network effectively across multi-vendor, physical and cloud platforms.
Andrew Lintell is Regional Vice President at Tufin.